Allow empty attribute sets in CSRs

While each attribute must contain at least one extension, it is not
required that a CSR have attributes at all. Instead of signalling an
error by returning NULL if no extensions are found, return an empty
stack of extensions.

Via OpenSSL 1f02ca2d

ok jsing

1 files changed, 4 insertions, 2 deletions

diff --git a/src/lib/libcrypto/x509/x509_req.c b/src/lib/libcrypto/x509/x509_req.c
index 8d5bf58509..c0a2a64a0b 100644
--- a/src/lib/libcrypto/x509/x509_req.c
+++ b/src/lib/libcrypto/x509/x509_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_req.c,v 1.28 2022/01/22 00:34:48 inoguchi Exp $ */
+/* $OpenBSD: x509_req.c,v 1.29 2022/08/18 16:26:33 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -224,7 +224,9 @@ X509_REQ_get_extensions(X509_REQ *req)
                 ext = X509_ATTRIBUTE_get0_type(attr, 0);
                 break;
         }
-        if (ext == NULL || ext->type != V_ASN1_SEQUENCE)
+        if (ext == NULL)
+                return sk_X509_EXTENSION_new_null();
+        if (ext->type != V_ASN1_SEQUENCE)
                 return NULL;
         p = ext->value.sequence->data;
         return d2i_X509_EXTENSIONS(NULL, &p, ext->value.sequence->length);